ALERT:  Bank Phishing Attack Using SMS Text Messaging

Victims receive a fake text from their ‘bank’ on their cell phone, stating there is a problem with their account.  The text urges them to call a number in their own area code.  When they dial the number provided, they receive the following automated message:

“Thank you for calling [name of bank].  A text message has been sent to inform you that your debit card has been limited due to a security issue.  To reactivate, please press 1 now.”  After pressing 1, the caller is prompted to enter the last 4 digits of their Social Security number, then the full card number and expiration date.

 

This is a mix of scams, known as “SMiShing” – phishing attacks sent via SMS text message – and voice phishing aka “vishing”, where people are directed to call a number that answers with a voice prompt, spoofing their bank and instructing the caller to enter confidential data.

NEVER call your bank from a number in a text or email.  

Always double-check the phone number from your bank’s website.  

 

Security Issues?

Call 1-204-800-3166

For Cyber-Fortress Security!

ALERT:  Old Phishing Tricks For New Victims

 

CyberCriminals are using old phishing tricks to find new victims.

Unfortunately, this phishing scam still works.

Scammers are attacking people with LinkedIn accounts using phishing emails.

These emails claim to be a LinkedIn Tech Support message.  In these fake emails, they state that “irregular activities” are happening on your LinkedIn account, which require a mandatory security update of your account.

They then ask you to fill out an attached HTML form, which is a spoofed LinkedIn page.  The form you fill out does not log you into the LinkedIn site.  Instead, the information you just filled out gets sent to CyberCriminals who then hijack your account.

An easy way to recognize this as a scam, is that the email uses a lowercase “i” instead of a capitol “I” when spelling “LinkedIn”.

Note:  Spelling and grammar mistakes are a huge Red Flag with scam emails.

The scam email looks similar to this:

 

 

 

 

As I said earlier, this is an old scam, but CyberCriminals keep using it because it keeps working.

The only way to stop phishing attacks, is to create a “human firewall” that is educated about these tricks.

Do your part.  Tell others about these ALERTS!

 

Got Malware?

Call 1-204-800-3166

To Get Your Computer CYBER-EXTERMINATED!

Have you been affected by this email scam?  Tell us your experience below!

Just when you think CyberCriminals can’t sink any lower…they prove you wrong.

 

The new phishing scam preys on a parent’s fear for their child.  

 

The scam email looks like a warning for parents about a child predator that moved into their neighborhood.

The email has a subject line such as

“Alert:  There is a child predator living near you!  This information is based on your local area zip code.”

But you don’t remember signing up for such a service (Red Flag!)

When you open the email, it ‘warns’ you that a predator has moved into your area and it provides a link to click on for more information.  If you click on the link, you are re-directed through several sites to land on the “Kids Live Safe” website, which is a service that sells localized reports on sex offenders.  They just send you there to try to look credible, and to distract you from the fact that your computer is now infected with malware that will steal your passwords, credit information, everything from your passwords up to and including your identity.

The email looks similar to this:

 If your computer is infected with malmare, bugs, or other annoying critters,

Call 1-204-800-3166

For A Cyber-Extermination!

The FBI and Internet Crime Complaint Enter is warning about a new global email scam that is targeting companies working with foreign suppliers and/or businesses that regularly perform wire transfer payments.  Please send these people in your company a link to this blog post.  Up until December 1, 2014, this email had scammed over 2100 victims worldwide, with a total loss of over 214 million dollars.  The FBI is confident this amount will continue to increase.

 

The FBI calls it the

“Business Email Compromise” (BEC)

The FBI states “Victims may also first receive “phishing” e-mails requesting additional details of the business or individuals being targeting (name, travel dates, etc.).  Some victims reported being a victim of various scareware or ransomware cyber intrusions immediately preceding a BEC scam request.”

The intial phishing emails and/or ransomware attacks are used to drop keyloggers and trojans on the workstations of an employee.  With these credentials, they tunnel into the network and put keyloggers on C-level executive workstations.  After studying the traffic, the cybercriminal craft an email that is carefully and artfully spoofed, to look as legit as possible.

Your C-level executive receives a business email from an existing, well-known vendor who requests a wire transfer to a specific bank account.  The email looks legit, and it comes from a known, trusted business associate, and is about a recent delivery or transaction.

The wire transfers rapidly get forwarded and transferred several times, usually ending up in  Hong Kong banks (Chinese Cyber mafia).

There are 3 different versions of this scam, targeting different businesses, but the characteristics are the same:

• Businesses and personnel using open source email are most targeted.
• Individuals responsible for handling wire transfers within a specific business are targeted.
• Spoofed e-mails very closely mimic a legitimate email request.
• Hacked e-mails often occur with a personal email account.
• Fraudulent email requests for a wire transfer are well-worded, specific to the business being victimized, and do not raise suspicious to the legitimacy of the request.
• The phrases “code to admin expenses” or “urgent wire transfer” were reported by victims in some of the fraudulent email requests.
• The amount of the fraudulent wire transfer request is business specific; therefore, dollar amounts requested are similar to normal business transaction amounts so as to not raise doubt.
• Fraudulent emails received have coincided with business travel dates for executive whose emails were spoofed.
• Victims report that IP addresses frequently trace back to free domain registrars.

How Do You Prevent CyberCriminals from Accessing Your Network?

1.  Alert executives to this scam.
2. Most of these scams start the same way – “phishing“ emails.  Make sure you (and your coworkers, colleagues, employees, etc) don’t click on any suspicious emails.
3. Read the IC3 Alert in full, and apply their Suggestions For Protection.

 

Bugged by viruses, malware, ransomware?

Call 1-204-800-3166

For A Cyber-Extermination!

 

PHISHING SCAM:  

ISIS WARNS POLICE ABOUT ATTACKS IN 2015

A major phishing campaign claiming ISIS attacks, has been found in Australia.

Although you may think that this does not affect you, being on the other side of the globe, but think again!  Cyber-Gangs use very modern techniques like Agile software development, beta testing and more.  English-speaking countries like Australia and the U.K. are used to test and fine-tune malware campaigns.  Once they’ve perfect the ‘art’, they unleash the campaign on the U.S. and Canada.

The good thing is, we get advance warning when Cyber-Gangs do this, and have a short period of time to warn co-workers, employees, colleagues, and everyone you can think of.  Because if they find just 1 victim that clicks, it will spread quickly!

Cyber Criminals are using hoax “breaking news!” events more and more to get people to click on links or open attachments.  At the moment there is a scam email which claims that ISIS has warned Australian Police about new attacks in Sydney during 2015.  The email asks recipients to open an attached Word document to read a detailed news story about the supposed attack threats.

The claims in the email are bogus and the attached document is infected with malware.  There is no credible news or police reports about such a warning from ISIS.  You are very likely to get scam emails claiming ISIS attacks like this at both home and business email.

Do Not Open Them, Do Not Click Links, Do Not Open Attachments.  

DELETE THESE EMAILS IMMEDIATELY.

 

Got Malware, Viruses, or Bugs?

Call 1-204-800-3166

To Get De-Bugged!

Email Claiming To Be From Law Firm Delivers Malware Instead of Justice.

“Internet scammers are sending emails claiming to come from a real law firm called ‘Baker & McKenzie’.  The email states you are scheduled to appear in court & should click a link to view a copy of the court notice.

The email is NOT from Baker & McKenzie, and has NO connection to the firm.  It is an attempt by cyber criminals to trick you into trying to prevent a negative consequence.  If you click on the link, you download and install malware.

 

 

 

 

 

 

In the recent past, there have been a series of these “court appearance” malware attacks that claim to be from law firms or government entities.

If you get one of these scam emails, DO NOT CLICK any links or open any attachments.  

DELETE THESE EMAILS IMMEDIATELY!

 

Think you have malware, spyware, or a virus?

Call TbyD at 1-204-800-3166

We’ll get you bug-free in no time!

2014 has been a year chock-full of Malware, Spear-Phishing, and Viruses, and the infamous CryptoLocker (and the following variations).

2014 has also been a rude awakening for some companies regarding I.T. security.

Mike Rogers, chairman of the House Permanent Select Committee on Intelligence noted in the WSJ Dec 25, 2014:

“In 10 years on the House Intelligence Committee I’ve watched a range of national security threats grow and evolve, but none as quickly as cyberwarfare.”

Mike mentions 2 recent examples, the Sony hack and the recent FIN4 gang who hacked into 100 public companies to grab insider information so they could manipulate the stock market.  He predicts more of this to come, and urges congress to expand the private-sector’s access to government-classified cyberthreat intelligence.

Shawn Henry, president of cybersecurity firm CrowdStrike Services and a former executive assistant director of the FBI said:  “It’s going to take some attacks much greater than what we’re seeing at Sony to allow the public to change course and say, ‘OK, we get it. We recognize how dangerous this is.'”

Here at Technology by Design, we hope you see how serious and important I.T. Security is, before it’s too late.

 

 

 

2015 Top 10 I.T. Security Predictions:

1. The Sony hack is claimed to be a harbinger for more nation-state attacks on private sector organizations.  Expect a major energy blackout with the press calling it a successful cyber attack on a U.S. energy infrastructure company and blaming Iran, DPRK, China, or Russia, but it turns out to be “rats and squirrels, gnawing on electrical cables.”
2. State-sponsored, APT hacking groups will start to merge/cooperate/subcontract with criminal hacking campaigns like those targeting JP Morgan Chase to perform spying activities, steal IP and/or gather intelligence about vulnerabilities in critical infrastructure systems for these foreign governments.
3. The Financial- and Defense Industry have doubled their I.T. security budgets in 2014, and during 2015 several other sectors will follow their example, specifically Technology, Healthcare, Manufacturing, and Government.
4. Breach detection tools are now making their way into the enterprise, but correctly responding to a data breach is still very hard.  Often CEOs will buy the tools, but not the people to run them.  Count on a Sony-like chaos-and-panic response from a major healthcare organization driving it out of business.
5. With the event of renewed interest in mobile payment, cybercrime’s attention will get focused on this lucrative combo of “mobile & money”.  It’s predicted that Apple Pay will be compromised somehow in 2015, and that a new Apple-specific ransomware will spread via phishing attacks on iPhones, targeting cloud accounts.
6. 2015 will be the year that trust in effective protection by just antivirus is mostly lost, and additional layers like software whitelisting and breach detection are going mainstream.
7. We have not seen the end of POS attacks, but since retailers are going to harden the POS endpoints, cyberheists will move to “middle layer” targets which means payment processors and third-party POS management infrastructure.  When “chip-and-pin” finally rolls out, big breaches will finally taper off.
8. One of the major companies that was infected in 2014 will not move fast enough to shore up their security infrastructure, and will get reinfected in 2015, resulting in again losing millions of credit cards.  Consumers will have gone into deep breach-fatigue and dismiss the risk.
9. Board Rooms will realize that “culture trumps compliance” and start top-down security culture initiatives, assisted by technology-driven ethics and compliance programs, which include mandatory security awareness training for all employees.
10. 2014 saw a 650% increase in social media spam and 99% of these malicious URLs led to malware or phishing sites.  Expect this to grow another 400% in the next 12 months.

 

As I’ve said before, cybercriminals don’t take holidays.  Instead, they use holidays and disasters to work overtime to try to catch you while your guard is down.

3 Scams To Watch For:

1.  Phishing emails and Facebook messages claiming that the missing AirAsia Flight QZ8501 has been found..   The message includes a teaser image of a crashed AirAsia jet and invite users to click a “Play” button to view “breaking news footage”.  Do NOT click on the link – it will fill your pc with malware.

 2.  Apple Watch scams.  The new Apple Watch will be incredibly popular and be used for a variety of scams that try to infect workstations with malware.  There will be lotteries, giveaways, “Free Apple Watch” contests, and promises that if you buy something, you will get an Apple Watch thrown in the deal at no cost.  Remember:  If a deal sounds too good to be true…IT IS!

 3.  Anything related to “The Interview”.  Cybercriminals have now created an app that researchers at McAfee identified started in South Korea in the last few days, attempting to exploit the media frenzy related to “The Interview” movie.  There is a torrent download, and it poses as an Android App to download the movie to mobile devices.  It’s a banking Trojan.  Be careful not to download anything related to “The Interview” unless you are 100% sure it comes from a legit source.  And if you really want to see the movie, go to that website yourself, do not click on any link in an email promising to play the movie.

 

Got Cyber-Bugs?

Call 1-204-800-3166

For Cyber-Extermination!

Unless you live under a very large rock, you’ve heard about the hack at Sony, and the fallout that occurred afterwards.  

As with everything, there are lessons that are to be learned from the security breach.  

Lessons that even small businesses can learn from Sony’s mistakes…

 

In IT security, there are 2 types of attacks:  opportunistic and targeted.  

There are 2 ways to assess hackers:  skill and focus.  

Using this assessment, there are 3 levels of hackers:

1. Hackers using point-and-click hacking tools are low-skill and low-focus.  They grab what they can if the low-hanging fruit (ie the no IT security) is available.
2. Hackers that have high-skill, but low-focus are the causes of the high-profile attacks we read about in the newspaper regularly (Target, Home Depot, JP Morgan Chase, and now Staples).
3. Sony is a good example of high-skilled and high-focus hackers.  A large hacking team from (allegedly) the Democratic People’s Republic of (North) Korea (DPRK) hacked into Sony and, for all intensive purposes, shut them down.  Sony didn’t make the hackers’ job too hard, by using third-rate security.

Assuming it wasn’t an inside-job, there are 3 ways the Sony hackers could have gotten in:  Mis-configured servers that allowed unauthorized access; Software vulnerabilities, either known holes or unknown zero-days; or Social engineering untrained employees that simply allow the hackers in by clicking on a spear-phishing link.

What are the lessons that can be learned, and used, by other businesses?

1.  If you are the target of a high-skilled, high-focus attack, you can count on them getting inside.  Your focus should be on defending the most important of your data, and make sure it does not get exfiltrated (stolen).  The fact that Sony did not notice terabytes of data leaving their network is an example of third-rate security.  

Lesson:  Use ecryption and breach detection tools.

2.  If you handle a lot of credit cards, Russian cybercriminals has you in their cross-hairs, but with a million other businesses.  This type of hacker is in it for the cash, and their time is money – if they encounter proper security, they will move to a weaker target.  If Home Depot would have upgraded their POS system in time from XP to Windows 7, their systems would not have had the security holes, and they wouldn’t have been hacked.  Good security, and up-to-date software, makes the hackers’ jobs a lot harder, more expensive, and more risky for them.  

Lesson:  Create enough IT security budget to give your IT security team (or person) the time and tools to implement security best practices.  Make sure the software you are using is up-to-date, and security patches that are released regularly by the software company, are being installed.

3.  As evidenced by the high-profile cases of Home Depot, etc., a lot of businesses do not look at their IT security until after they have been hacked.  The time to start thinking of IT security is BEFORE the attack, and be prepared.  IT security is really 3 things:  Protection, Detection, and Response.  

Lesson:  “You need prevention to defend against low-focus attacks, and to make targeted attacks harder.  You need detection to spot the attackers who inevitably get through.  And you need response to minimize the damage, restore security, and manage fallout.”

Think your business is too small to worry about security?  

The fact is, it’s not very hard to hack into a computer system that has little or no security.  

Think about the fallout if your computer system got hacked.  What information would you lose:  pictures, personal information, banking information, financial information…and now the REALLY scary stuff…customers’ personal information, customers’ financial information, customers’ credit card information.  

Not to mention the difficulty in retrieving that information, and putting your computer system back together, think about the legal ramifications and business lost.

Got Cyber-Bugs?

Call 1-204-800-3166

For Cyber-Extermination!

2014 has been a year full of hoax stories, malware, and cybercrime.  It’s also seen a boom in hoax new stories, as these are extremely successful social engineering tactics used by hackers to get people to click on links, and worse, share the news with their friends and become part of the spread of infection.

At the moment, there is a spike in hoax stories that spread malware and infect your phone and computer.  Cyber-criminals use all the tricks in their black book to get you to click on and share hoax stories with your friends.  This happens on Facebook, popular websites, they are sent straight into your inbox, and even major news outlets are sharing them unknowingly.

Be on the lookout for these 5 hoaxes:

1. Stories that urge you to share something before you have even read them.
2. Celebrity deaths are increasingly being used to shock people into clicking on links and making a zombie out of their PC or lock their smartphone with ransomware.  Recent example:  Will Smith.
3. Very violent video news reports that draw your attention with “Warning:  Graphic Content”, and lurid titles like “Giant Snake Swallows Zookeeper”.
4. Outrageous stories about Facebook itself, like it will start charging for the service, it sells your personal information, a way to show you who looked at your page, or other claims that might upset your and lure you to click on a link.
5. And last, especially in this season of charity, heartrending reports about dying girls that beg you for “likes” so they can obtain drugs or hospital treatment.

Cybercrime is moving to mobile malware with astonishing speed, so be especially careful clicking/tapping on suspicious things on your smartphone.  Anything you received, but didn’t ask for, watch out because your phone may get locked with mobile ransomware.

Call for a FREE Network Security Analysis!

Already infected?  We’ll exterminate & get you bug-free for the holidays!

1-204-800-3166

We Make I.T. Work!

ALERT:  Fined for Unpatched Software

Anchorage Community Mental Health Services (ACMHS) was recently hit with a $150,000 fine for failing to apply software patches.  

ADMHS is a five-facility, non-for-profit organization providing behavioral healthcare services to children, adults, and families.

This HIPAA settlement in the Alaska case marks the 1st time The Department of Health and Human Services’ Office for Civil Rights has levied a penalty tied to unpatched software, which is not specifically addressed in the HIPAA Security Rule.  The OCR opened an investigation after receiving notification from ACMHS regarding a breach of unsecured electronic protected health information (ePHI) affecting 2,743 individuals due to malware compromising the security of the mental health provider’s information technology resources.

OCR’s investigation revealed that ACMHS had adopted sample HIPAA Security Rule policies and procedures in 2005, but these were not followed.  The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating software with available patches and running outdated, unsupported software, OCR says.

“ACMHS failed to implement technical security measures to guard against unauthorized access to e-PHI that is transmitted over an electronic communications network by failing to ensure that firewalls were in place with threat identification monitoring of inbound and outbound traffic and that information technology resources were both supported and regularly updated with available patches,” says the OCR resolution agreement with ACMHS.

In addition, OCR says that contributing to the incident was ACMHS’ failure to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI.

OCR Director Jocelyn Samuels states:

 “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis.  This includes reviewing systems for unpatched vulnerabilites and unsupported software that can leave patient information susceptible to malware and other risks.”

Independent HIPAA and healthcare attorney Susan A. Miller states:

“This is a wake up call that people should be looking very closely at the security risk assessment tools available from ONC and OCR, as well as NIST [National Institute of Standards and Technology].”

“The lesson here is that when a software patch or update is sent by a vendor, they should be applied immediately,” Miller adds.  “That includes operating systems, electronic health records, practice management – and any electronic tool containing PHI.”

Our personalized Monthly Service Plans make sure your patches are up-to-date, and your system is safe and secure!

Call us for a Network Security Analysis!

1-204-800-3166

We Make I.T. Work!